This sample configuration shows a hub and spoke IPsec design between
three routers. This configuration differs from other hub and spoke
configurations because in this example, communication is enabled between the
spoke sites by going through the hub. In other words, there is not a direct
IPsec tunnel between the two spoke routers. All packets are sent across the
tunnel to the hub router where it redistributes them out the IPsec tunnel
shared with the other spoke router. This configuration is possible as a result
of the resolution to Cisco bug ID CSCdp09904. This fix was integrated into
Cisco IOS® Software Release 12.2(5), and this release is the minimum
requirement for this configuration.

The information in this document is based on these software and
hardware versions:

Cisco IOS Software Release 12.2(24a)
(c2500-ik8s-l.122-24a.bin)

Cisco 2500 routers

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

If you need to add another spoke router (spoke3) to the existing hub
router in addition to spoke1 and spoke2, all that is required is the creation
of a new LAN-to-LAN (L2L) tunnel from the hub to spoke3. However, since only
one crypto map can be configured per physical interface, you must use the same
crypto map name when adding this tunnel. This is possible because each remote
site gets its own entry under that map name, identified by a different
sequence (line) number.

Note: The crypto map might need to be removed and re-applied to the
interface when the new tunnel entry is added. When the crypto map is removed,
all active tunnels are cleared.
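The procedure above, as an added illustration that is not the page's own configuration: a hub crypto map carrying the existing spoke1 and spoke2 entries plus a new spoke3 entry under the same map name, and the spoke3 side that mirrors it. All addresses, map names, ACL numbers and the key placeholder are assumptions; the crypto ACLs are written so that spoke-to-spoke traffic is matched on both tunnels and hairpins through the hub, which is what the hub-relayed design requires.

```cisco
! Hub router. Constructed example, not the page's configuration. Assumed
! addressing: hub LAN 10.1.1.0/24, spoke1 LAN 10.2.2.0/24, spoke2 LAN
! 10.3.3.0/24, spoke3 LAN 10.4.4.0/24, spoke WAN addresses 192.168.1.1-3.
! ISAKMP policy and pre-shared keys are configured as for the existing spokes.
! 3DES matches the k8 image on the page; prefer AES where the platform has it.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
! One crypto map name, one sequence number per spoke. Entries 10 and 20 are
! the existing spoke1/spoke2 tunnels; entry 30 is the new spoke3 tunnel.
crypto map hubmap 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set myset
 match address 101
crypto map hubmap 20 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set myset
 match address 102
crypto map hubmap 30 ipsec-isakmp
 set peer 192.168.1.3
 set transform-set myset
 match address 103
!
! Each hub->spoke crypto ACL permits the hub LAN and every other spoke LAN as
! source, so a spoke-to-spoke packet is decrypted from one tunnel and
! re-encrypted into the other. Adding spoke3 therefore also adds one line to
! ACLs 101 and 102 here, and to the mirrored ACLs on spoke1 and spoke2.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 101 permit ip 10.3.3.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 101 permit ip 10.4.4.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 102 permit ip 10.2.2.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 102 permit ip 10.4.4.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 103 permit ip 10.1.1.0 0.0.0.255 10.4.4.0 0.0.0.255
access-list 103 permit ip 10.2.2.0 0.0.0.255 10.4.4.0 0.0.0.255
access-list 103 permit ip 10.3.3.0 0.0.0.255 10.4.4.0 0.0.0.255
!
! Only one crypto map per physical interface: the single name hubmap carries
! all three entries. Re-applying it after the edit clears the active tunnels.
interface Serial0
 ip address 192.168.1.254 255.255.255.0
 crypto map hubmap
!
! Spoke3 router: its crypto ACL mirrors hub ACL 103 (hub LAN plus both other
! spoke LANs as destination), otherwise spoke-to-spoke traffic stays cleartext.
crypto map spokemap 10 ipsec-isakmp
 set peer 192.168.1.254
 set transform-set myset
 match address 110
access-list 110 permit ip 10.4.4.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 10.4.4.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 110 permit ip 10.4.4.0 0.0.0.255 10.3.3.0 0.0.0.255
```

After applying the change, `show crypto map` on the hub should list all three sequence numbers under hubmap, and `show crypto ipsec sa` should show a separate SA pair per spoke peer once traffic matching each ACL has flowed.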